This mode is one of main motivation behind this code. The idea is to
be able to ask to Suricata to treat different pcap files without
having to restart Suricata between the files. This provides you a huge
gain in time as you don’t need to wait for the signature engine to
initialize.

To use this mode, start suricata with your preferred YAML file and
provide the option --unix-socket as argument:

suricata-c/etc/suricata-full-sigs.yaml--unix-socket

It is also possible to specify the socket filename as argument:

suricata--unix-socket=custom.socket

In this last case, you will need to provide the complete path to the
socket to suricatasc. To do so, you need to pass the filename as
first argument of suricatasc:

suricatasccustom.socket

Once Suricata is started, you can use the provided script
suricatasc to connect to the command socket and ask for pcap
treatment:

You can add multiple files without waiting the result: they will be
sequentially processed and the generated log/alert files will be put
into the directory specified as second arguments of the pcap-file
command. You need to provide absolute path to the files and directory
as suricata don’t know from where the script has been run.

There is one thing to be careful about: a suricata message is sent in
multiple send operations. This result in possible incomplete read on
client side. The worse workaround is to sleep a bit before trying a
recv call. An other solution is to use non blocking socket and retry a
recv if the previous one has failed. This method is used here:
source:scripts/suricatasc/suricatasc.in#L43